# [CRIT] [GHSA / CRITICAL] CVE-2026-55255: Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

**Source:** GitHub Security Advisories
**Published:** 2026-06-19
**Article:** https://github.com/advisories/GHSA-qrpv-q767-xqq2

## Threat Profile

Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

## Summary

An Insecure Direct Object Reference (IDOR) vulnerability in the `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.

## Details

The vulnerability exists in the `get_flow_by_id_or_endpoint_name` helper function in [`src/backend/base/langflow/helpers/flow.py` (lines…
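The advisory text on this page does not include the patch, so the following is an added illustration and not Langflow's code: a minimal in-memory model of the defect class described above (a flow resolved by ID or endpoint name without consulting the caller's identity) next to the generic ownership-scoped lookup that prevents it. The `Flow` dataclass, the `FLOWS` list, the user IDs and the flow IDs are all constructed for the example; `can_access` is a helper added for checking the scoped behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    # Constructed shape; not Langflow's schema.
    id: str
    endpoint_name: Optional[str]
    owner_id: str


class FlowNotFound(Exception):
    pass


# Constructed sample data: two users, one flow each.
FLOWS = [
    Flow(id="11111111-1111-4111-8111-111111111111", endpoint_name="alice-rag", owner_id="user-alice"),
    Flow(id="22222222-2222-4222-8222-222222222222", endpoint_name="bob-agent", owner_id="user-bob"),
]


def _matches(flow: Flow, id_or_name: str) -> bool:
    """A flow can be addressed by its ID or by its endpoint name."""
    return flow.id == id_or_name or flow.endpoint_name == id_or_name


def get_flow_unscoped(id_or_name: str) -> Flow:
    """Vulnerable shape of the lookup: resolves by ID or endpoint name only.
    The caller's identity never enters the predicate, so any authenticated
    user who supplies another user's flow ID gets that flow back."""
    for flow in FLOWS:
        if _matches(flow, id_or_name):
            return flow
    raise FlowNotFound(id_or_name)


def get_flow_for_user(id_or_name: str, current_user_id: str) -> Flow:
    """Hardened shape: ownership is part of the lookup predicate. A flow that
    exists but belongs to someone else is reported exactly like a missing
    one, so the response does not reveal whether the ID is valid."""
    for flow in FLOWS:
        if _matches(flow, id_or_name) and flow.owner_id == current_user_id:
            return flow
    raise FlowNotFound(id_or_name)


def can_access(id_or_name: str, current_user_id: str) -> bool:
    """True only when the ownership-scoped lookup succeeds."""
    try:
        get_flow_for_user(id_or_name, current_user_id)
        return True
    except FlowNotFound:
        return False


if __name__ == "__main__":
    bob_flow = "22222222-2222-4222-8222-222222222222"
    # Unscoped lookup hands alice's request bob's flow; scoped lookup refuses it.
    print("unscoped owner:", get_flow_unscoped(bob_flow).owner_id)
    print("alice can access bob's flow (scoped):", can_access(bob_flow, "user-alice"))
```

The point to carry into a code review is that the authorization decision belongs in the query predicate (or an equivalent check immediately after the fetch), not in the caller, and that "not yours" and "does not exist" should produce the same response.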

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-55255`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1213** — Data from Information Repositories

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Langflow IDOR endpoint access — POST to /api/v1/responses (CVE-2026-55255)

`UC_8_1` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count from datamodel=Web.Web where Web.http_method=POST AND (Web.url="*/api/v1/responses*" OR Web.url="*/api/v2/workflow*" OR Web.url="*/api/v1/run*") by Web.src, Web.dest, Web.user, Web.url, Web.status, _time span=1m
| `drop_dm_object_name("Web")`
| sort - _time
```

### Langflow IDOR enumeration — single source fan-out to /api/v1/responses (CVE-2026-55255)

`UC_8_2` · phase: **recon** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count from datamodel=Web.Web where Web.http_method=POST AND Web.url="*/api/v1/responses*" by Web.src, Web.user, _time span=5m
| `drop_dm_object_name("Web")`
| where count > 20
| sort - count
```
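For environments without the Web data model, the following is an added example (not part of the briefing or of Langflow) that reproduces the UC_8_2 fan-out logic in plain Python over reverse-proxy access logs: POST requests to `/api/v1/responses` are bucketed per source, user and 5-minute window, and any bucket above the same `count > 20` threshold is reported. The combined-log line format, the `SAMPLE_LOG` lines and the addresses and usernames in them are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log style line, constructed for this example:
# 10.0.0.5 - mallory [19/Jun/2026:12:00:00 +0000] "POST /api/v1/responses HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=5)   # same span as the SPL hunt
THRESHOLD = 20                  # same "count > 20" as the SPL hunt
TARGET_PATH = "/api/v1/responses"


def _line(src, user, ts, url, status=200, method="POST"):
    return f'{src} - {user} [{ts.strftime(TS_FMT)}] "{method} {url} HTTP/1.1" {status} 512'


_base = datetime(2026, 6, 19, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # Constructed: one source hammering the endpoint, 25 POSTs in under two minutes.
    [_line("10.0.0.5", "mallory", _base + timedelta(seconds=4 * i), TARGET_PATH) for i in range(25)]
    # Constructed: benign traffic that must not be flagged.
    + [_line("10.0.0.7", "alice", _base + timedelta(minutes=1), TARGET_PATH)]
    + [_line("10.0.0.7", "alice", _base + timedelta(minutes=2), "/api/v1/flows", method="GET")]
    + [_line("10.0.0.9", "bob", _base + timedelta(minutes=3), "/api/v1/run/some-flow")]
)


def parse(line):
    """Return a dict of fields for a well-formed line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def _bucket_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its fixed window."""
    secs = window.total_seconds()
    return datetime.fromtimestamp(ts.timestamp() // secs * secs, tz=timezone.utc)


def fan_out(lines, threshold=THRESHOLD, window=WINDOW):
    """Count POSTs to the target path per (src, user, window); return buckets
    over the threshold as (src, user, window_start, count), highest first."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or TARGET_PATH not in rec["url"]:
            continue
        counts[(rec["src"], rec["user"], _bucket_start(rec["ts"], window))] += 1
    hits = [(src, user, start, n) for (src, user, start), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    for src, user, start, n in fan_out(SAMPLE_LOG):
        print(f"{start.isoformat()} src={src} user={user} count={n}")
```

The threshold is the tunable part: on a busy instance, baseline per-user request rates first and raise it, and treat a single user identity appearing from many sources, or many flow IDs from one identity, as the stronger signal when the application log records the requested flow ID.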

### Asset exposure — Langflow instances vulnerable to CVE-2026-55255 (<1.9.1)

`UC_8_3` · phase: **recon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve="CVE-2026-55255" by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.severity
| `drop_dm_object_name("Vulnerabilities")`
| sort - count
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-55255"
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, IsInternetFacing) by DeviceId) on DeviceId
| project DeviceName, DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, IsInternetFacing
| order by IsInternetFacing desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-55255`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 2 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
